• Issue Type: Feature Request
    • Resolution: Unresolved
    • Priority: Major
    • Product / Portfolio Work

      1. Proposed title of this feature request:
      RHCOS CIS Profile

      2. What is the nature and description of the request?

      • The customer performed a vulnerability scan on their ROSA cluster (v4.14.20) using Prisma Cloud (Enterprise Edition, not pcc-operator).
      • The scan identified 20+ critical/high severity vulnerabilities at the node/OS level.
      • Refer to the attached vulnerability report (will be added as a comment).
      • Some of the vulnerabilities were related to file ownership and permissions. For example, the report suggested modifying permissions on certain files (refer to the report) to 600.
      • Looking through the results, only 4 findings are applicable to the OCP platform:
        Vulnerabilities applicable to OCP
        • Verify that CRI global auth file permissions are set to 444 or more restrictive
        • (CIS_OpenShift_1.3.0 - 4.1.1) Ensure that the kubelet service file permissions are set to 600 or more restrictive
        • (CIS_OpenShift_1.3.0 - 4.1.5) Ensure that the --kubeconfig kubelet.conf file permissions are set to 600 or more restrictive
        • (CIS_OpenShift_1.3.0 - 4.1.7) Ensure that the certificate authorities file permissions are set to 600 or more restrictive

      • All the others are related to CIS Linux, which we don't have a profile for.
      • The same issue has been discussed in the following Slack threads:
      • forum-ocp-compliance: https://redhat-internal.slack.com/archives/CHCRR73PF/p1724732484131019
      • forum-rhel-coreos: https://redhat-internal.slack.com/archives/C999USB0D/p1724643717725979

      3. Why does the customer need this? (List the business requirements here)
      The customer's infosec team has flagged this as a concern, which is impacting their go-live schedule.

      4. List any affected packages or components.
      Refer to the attached report added in the comments [ROSA_Nodes_Compliance_Report_06062024].

              rhn-support-mrussell Mark Russell
              rhn-support-kkulshre Kushagra Kulshreshtha
              Votes: 1
              Watchers: 3